‘I Had A Funny Feeling in My Gut’ (1999)

(washingtonpost.com)

88 points | by tosh 2011 days ago

11 comments

  • atemerev 2011 days ago
    Just in case — he didn’t have the authority to launch the missiles. His job was to evaluate the situation and give the immediate report to the top of the chain of command, if the situation is critical, and if they decide to counterattack — relay their orders (and presumably some unlock codes) to missile operators. In other words, he was at his place exactly because the command authority didn’t trust the system enough to rely on automated reports, and needed a human in the loop to make the interpretation for them.

    He decided (correctly) not to relay anything to the higher-ups. However, later he was not commended for that, because his job was to make the call and tell something like “I have an alert of five incoming Minuteman missiles — I am sure though it is a false alarm from the new system”, instead of unilaterally deciding to block the message. He was right not to escalate, but if he did, it would not have immediately ended the world.

    • sciurus 2010 days ago
      According to the article, "the reports of a missile salvo were coming so quickly that an alert had already gone to general staff headquarters automatically".
      • tabtab 2009 days ago
        Re: he didn’t have the authority to launch

        While true, if he had claimed the missiles were real, those with authority may have pushed The Big Button.

  • fjcp 2011 days ago
    Chilling story, the key point to me as a programmer is:

    > According to Petrov and other sources, the false alarm was eventually traced to the satellite, which picked up the sun's reflection off the tops of clouds and mistook it for a missile launch. The computer program that was supposed to filter out such information was rewritten.

    Every programmer should read this as a reminder of how a software bug can have catastrophic consequences. And I know it's hard, as deadlines come closer, the time dedicated to finding bugs drops accordingly.

    • yetihehe 2011 days ago
      It probably wasn't really a bug, but untested behaviour or designers didn't think there could be such strong reflections from clouds. I suppose there wasn't too much real data to test detection algorithms against.
      • hellbanner 2010 days ago
        Untested behavior leading to unexpected results.. is still a bug.
        • phendrenad2 2009 days ago
          Not a bug caused by programmers, but a bug caused by the domain experts who wrote the specifications for the code. I doubt the programmers writing the code were experts on cloud/satellite imagery interactions.
    • mercer 2010 days ago
      It's mildly depressing and comforting at the same time to realize that none of the code I've written or am writing will even remotely have anything close to 'catastrophic consequences'.

      At worst, the number of visitors will drop to 0 for a short while, or clients/internal users won't be able to do their job for said short while. This will quite possibly impact the bottom line of the company that relies on that particular site/app/system, but any effect will be lost in the noise (and probably even underestimated, because that's how this happened in the first place!).

      While it's sort of nice that there are real-world stakes to the worst-case scenario, it's also both comforting and depressing to contemplate how relatively meaningless these stakes really are, personally.

  • imglorp 2011 days ago
    We had some oopsies too, like the time someone left a training tape in the machine. The UCSUSA has a series of articles pleading for a more careful and thoughtful response instead of this hair-trigger ten-minute stuff, especially in the new age of unstable leadership.

    https://blog.ucsusa.org/david-wright/nuclear-false-alarm-950

    • tabtab 2009 days ago
      We are really lucky to be alive. Then again, if an event did trigger WW3, most of us wouldn't be around to wonder what happened. It's sort of a variation on the Anthropic Principle.
  • anonu 2011 days ago
    From a system's perspective: when you build a nuke early-warning system you don't really have any good test cases to make sure your system actually works. This guy erred on the side of caution.
    • VLM 2010 days ago
      Sure you do, every space launch. Smaller ones happen all the time, not just the big famous missions. One launch from Cape Canaveral headed east, not over Moscow, is just another space shuttle mission or a probe headed toward Pluto or whatever. Two launches over the Pacific is maybe an ASAT test. One thousand launches is WW3. Five launches... doesn't even make sense, maybe two legit ASAT tests along with three false alarms or two really poorly timed tests for unrelated launcher programs? Or most likely a terrible computer error?
    • Angostura 2010 days ago
      I like the idea of cautiously launching nuclear weapons just in case.
    • atemerev 2011 days ago
      You have your own missiles (with dummy warheads) to check against. This is how it is usually done.
      • codingdave 2011 days ago
        > This is how it is usually done.

        Was that typical for testing in 1983? Or is that how systems are tested today?

  • muthdra 2011 days ago
    I remember reading this elsewhere and the Russian official was quoted along the lines of "It felt wrong cause if you wanna launch nukes, you launch them by the hundreds".
    • VLM 2010 days ago
      Also if you want to do a sneak attack you don't start it with the weapon your opponent can most easily detect.

      So, the control center hasn't been taken out by a cruise missile and the submarine pens are untouched and the bomber airfields check in as OK... it just doesn't make sense as a sneak attack vector. Maybe every sub-launched cruise missile in the fleet failed to work; unlikely.

      Something not declassified yet, but probably would clear up a lot of confusion, is if the detector code was fooled by sunlight on clouds or whatever, the trajectory solver likely came up with bizarre results like the ICBM launch site was the center of Lake Michigan or downtown Chicago or the trajectory of the other missile has a best fit predicted impact point of Ohio or Mexico City.

      They have plenty of practice analyzing the huge horizontal velocity vector of normal spacecraft launches. A strange sunlight reflection would tend to have zero horizontal velocity; the opfor seems to be bombing its own missile sites by tossing the ICBM exactly straight up and down? That seems a little odd unless someone's trying to set off a false flag leading to a real attack.

      I would think it would be good defensive coding strategy to have different teams write and deploy the detector code vs the trajectory analysis code, such that if one messes up it really doesn't matter.

    • yetihehe 2011 days ago
      Yeah, it was in this article too:

      > Petrov's decision was based partly on a guess, he recalled. He had been told many times that a nuclear attack would be massive – an onslaught designed to overwhelm Soviet defenses at a single stroke. But the monitors showed only five missiles. "When people start a war, they don't start it with only five missiles," he remembered thinking at the time. "You can do little damage with just five missiles."

  • doctornemo 2011 days ago
    We need Petrov statues.
  • ausbah 2010 days ago
    This is what makes the MAD doctrine so scary in reality, little mishaps and hiccups in a fallible system that could accidentally blow the world back to the stone age.